limesurvey / limesurvey
Project repository
The most popular FOSS online survey tool on the web.
Response targets: first interaction within 5 days, review within 20 days, fix within 35 days.

Disclosed reports (title | date | reporter | outcome | bounty):
Permission vulnerability | Oct 18th 2023 | nam-no | not applicable | -
Store XSS at Create Survey | Oct 11th 2023 | lucaidau888 | not applicable | -
Cross-site Scripting (XSS) - Stored in Create Survey(Share survey) | Oct 11th 2023 | nam-no | not applicable | -
normal user can put survey to any group | Oct 11th 2023 | ranjit-git | not applicable | -
privilege escalation bug to edit survey | Oct 30th 2023 | ranjit-git | Critical | $75
xss fix bypass of | Oct 10th 2023 | ranjit-git | self closed | -
XSS in Survey menus (Menu icon type and Menu icon) | Dec 18th 2023 | hainguyen0207 | High | $40
Store XSS in Label sets list version 6.2.11 | Oct 9th 2023 | hainguyen0207 | High | $40
Stored XSS | Oct 10th 2023 | huu-cuong | not applicable | -
CSRF in Save Box Settings | Oct 30th 2023 | hainguyen0207 | Medium | $15
Store XSS in "Add Question" function | Oct 8th 2023 | trungg02 | self closed | -
XSS still exists in Survey title (Version 6.2.9) | Oct 2nd 2023 | hainguyen0207 | self closed | -
CSRF In Copy Survey | Sep 30th 2023 | hainguyen0207 | High | $40
CSRF edit Blacklist settings( YES to NO) | Oct 30th 2023 | hainguyen0207 | High | $40
Cross-site Scripting (XSS) - Stored in (Create Survey/Add Group) | Oct 10th 2023 | nam-no | not applicable | -
Store XSS when Edit label set | Oct 30th 2023 | hainguyen0207 | High | $40
Privilege Escalation in Survey Group | Oct 2nd 2023 | hainguyen0207 | not applicable | -
CSRF in Reset Survey menus | Sep 28th 2023 | hainguyen0207 | High | $40
CSRF in Export Themes function | Sep 28th 2023 | lucaidau888 | not applicable | -
The survey has expired but is still active | Sep 28th 2023 | hainguyen0207 | not applicable | -
CSRF in Export File Surveys | Sep 28th 2023 | hainguyen0207 | not applicable | -
Incorrect Authorization in User role | Oct 10th 2023 | hainguyen0207 | Medium | $15
User sends email to group member, while not having general user group permission... | Nov 7th 2023 | hainguyen0207 | High | $40
Add arbitrary users to the user group | Oct 10th 2023 | hainguyen0207 | High | $40
Account past their expiration date are still active | Sep 26th 2023 | hainguyen0207 | High | $40
Improper permission management | Sep 26th 2023 | hainguyen0207 | High | $40
CSRF in User management function | Oct 10th 2023 | trungg02 | not applicable | -
CSRF in Export label set function | Oct 10th 2023 | trunggg02 | not applicable | -
Store XSS in Survey menus (Version 6.2.9) | Sep 26th 2023 | hainguyen0207 | duplicate (High) | -
Store XSS at Label sets list in (Version 6.2.7) | Oct 10th 2023 | hainguyen0207 | High | $40
CSRF - User performed an unexpected sign out | Sep 22nd 2023 | hainguyen0207 | not applicable | -
Account past their expiration date are still active | Sep 26th 2023 | hainguyen0207 | self closed | -
IDOR - Users can change Administrator information (User ID = 1 ) | Oct 30th 2023 | hainguyen0207 | Critical | $75
Deleted account still has the right to create, delete other accounts (delete su... | Oct 30th 2023 | hainguyen0207 | High | $40
Store XSS in Central participant management | Sep 19th 2023 | hainguyen0207 | High | $40
boolean-based blind SQL injection | Oct 10th 2023 | nishaaaap | not applicable | -
Reflected XSS in Central participant management | Sep 21st 2023 | hainguyen0207 | not applicable | -
Store XSS in Survey menus | Oct 30th 2023 | hainguyen0207 | High | $40
Store XSS in add group | Sep 19th 2023 | hainguyen0207 | duplicate (High) | -
Store XSS at Add dummy user | Sep 19th 2023 | hainguyen0207 | not applicable | -
Store DOM XSS when create survey | Sep 25th 2023 | hainguyen0207 | Medium | $15
Store XSS at Label sets list | Sep 19th 2023 | hainguyen0207 | not applicable | -
Stored XSS in Configuration-User Management | Sep 19th 2023 | nyeooo | not applicable | -
LimeSurvey v5.6.34 has a reflective XSS vulnerability | Sep 19th 2023 | hebing123 | not applicable | -
LimeSurvey v6.2.9-230925 has a storage based XSS vulnerability caused by importM... | Sep 25th 2023 | hebing123 | Medium | $15
Old password is accepted as new password | Sep 18th 2023 | th3l0newolf | not applicable | -
Input Validation Vulnerability Leading to Denial of Service in LimeSurvey v6.3.0... | Oct 30th 2023 | hebing123 | Medium | $15
Improper Authorization in Import Question function | Oct 30th 2023 | trongdaong24 | High | $40
Stored XSS via user's Username | Sep 25th 2023 | williwollo | High | $40
Reflected XSS in LimeSurvey via userid parameter | Sep 25th 2023 | williwollo | High | $40
privilege escalation bug to creation survey-group with others group as parent | Oct 30th 2023 | ranjit-git | Critical | $105
Reflected XSS in Alert Message Widget | Aug 18th 2023 | tuannq2299 | not applicable | -
Stored XSS in module named "Survey" in limesurvey/limesurvey | Aug 18th 2023 | trunggg02 | not applicable | -
see survey title and total record without access-code | Aug 18th 2023 | ranjit-git | not applicable | -
user with view permission in group can delete user from this group | Aug 17th 2023 | ranjit-git | not applicable | -
user with view permission in group can add user to this group | Aug 17th 2023 | ranjit-git | not applicable | -
access survey information without access-code | Aug 17th 2023 | ranjit-git | not applicable | -
xss in survey title | Aug 11th 2023 | surayp | duplicate (Medium) | -
xss in survey Administrator email address | Aug 11th 2023 | surayp | not applicable | -
xss using survey end-url | Aug 11th 2023 | ranjit-git | duplicate (High) | -
Stored xss using survey welcome message | Aug 11th 2023 | ranjit-git | not applicable | -
Stored Open Redirect in Dashboard of Users due to improper input sanitization | Jul 27th 2023 | thirukrishnan | not applicable | -
Server-Side Request Forgery using Destination URL in Box Settings displayed in D... | Jul 24th 2023 | thirukrishnan | self closed | -
Stored XSS in description of theme | Sep 25th 2023 | nduy2110 | High | $40
IDOR make attacker can see others Notification | Jul 10th 2023 | lujiefsi | self closed | -
XSS Reflected via import file function | Sep 25th 2023 | aqngoc | High | $40
Stored XSS via user's Full Name | Aug 1st 2023 | nerrorsec | High | $40
Unauthorized access to Survey menu entries | Sep 25th 2023 | nerrorsec | High | $40
Reflected XSS via "importFormat" parameter | Aug 10th 2023 | nerrorsec | High | $40
CSRF in Question Themes function | Sep 25th 2023 | tuannq2299 | Medium | $15
The user can put their survey in the survey groups even though this survey group... | Aug 10th 2023 | trongdaong24 | High | $40
Able to change survey group's code that is by default unchangeable | Jul 21st 2023 | trongdaong24 | not applicable | -
Improper Authorization in add role function leads to privilege escalation | Aug 18th 2023 | aqngoc | Medium | $15
Incorrect Authorization to Stored XSS in Import User Role function | Aug 1st 2023 | aqngoc | High | $40
Stored XSS in Survey Group function | Jun 29th 2023 | tuannq2299 | duplicate (High) | -
IDOR in View User Detail | Jul 19th 2023 | tuannq2299 | not applicable | -
Stored XSS | Jun 29th 2023 | aqngoc | duplicate (High) | -
Stored XSS on Survey "Notification and data function" | Jul 10th 2023 | hiu240900 | Medium | $15
Improper Authorization in Take Ownership function | Jun 28th 2023 | aqngoc | duplicate (High) | -
Improper Authorization in Export role function | Jul 19th 2023 | aqngoc | Medium | $15
IDOR in Group members | Aug 10th 2023 | tuannq2299 | Medium | $15
Stored XSS in label function | Jul 10th 2023 | tuannq2299 | Medium | $15
CSRF in the delete notification function | Jul 10th 2023 | tuannq2299 | Medium | $15
IDOR in notification function | Jul 10th 2023 | tuannq2299 | Medium | $15
The user can export/import Role without permissions | Jun 27th 2023 | trongdaong24 | duplicate (High) | -
Xss stored and HTML injection | Jun 23rd 2023 | nilabhrajpoot | spam | -
Sensitive Information leaked in Source. | Jun 23rd 2023 | nilabhrajpoot | not applicable | -
Stored XSS in module named "List Survey" | Jun 23rd 2023 | trunggg02 | duplicate (High) | -
Able to edit users owned by other administration users | Jul 3rd 2023 | trongdaong24 | High | $40
Stored XSS in the delete confirmation popup | Jul 3rd 2023 | aqngoc | Medium | $15
The ability to edit groups owned by any user. | Jul 19th 2023 | trongdaong24 | Medium | $15
Improper Authorization leads to privilege escalation | Jul 3rd 2023 | aqngoc | High | $40
Incorrect Authorization leads to delete user | Jul 3rd 2023 | aqngoc | High | $40
The user can delete himself | Jun 19th 2023 | trongdaong24 | Medium | $15
Able to change username that is by default unchangeable | Jun 26th 2023 | trongdaong24 | Medium | $15
Store XSS in Title Label | Jun 14th 2023 | anh91 | not applicable | -
Stored XSS in Survey Groups Function | Jun 26th 2023 | tuannq2299 | Medium | $15
Stored XSS vulnerability found in the question editing feature. | Jun 14th 2023 | trongdaong24 | not applicable | -
Stored XSS vulnerability | Jun 26th 2023 | aqngoc | Medium | $15
Stored XSS in End page | Jul 10th 2023 | yujitounai | Medium | $15
Weak Server Side controls on User Action | May 3rd 2023 | mohitkumar0786 | spam | -
Possible Email HTML Injection | May 3rd 2023 | mrempy | not applicable | -
Weak Password Requirements | May 3rd 2023 | mrempy | informative (Medium) | -
CSRF Leading to reset Boxes | Jun 26th 2023 | mdakh404 | Medium | $15
CKeditor 4.20.2 in use which is vulnerable to CVE-2023-28439 | Jun 19th 2023 | popcorn94 | Low | $5
Able to change admin email and password without current password validation. | Apr 17th 2023 | rac-fckscty | Medium | $15
Stored XSS in survey settings | Mar 31st 2023 | 007nicky | not applicable | -
XSS - stored in Survey title | Mar 31st 2023 | ch1nhpd | not applicable | -
Reflected XSS in LimeSurvey | Apr 3rd 2023 | peymankf | High | $40
Stored xss while changing theme twig files | Apr 6th 2023 | shellinjector | not applicable | -
Cross site scripting in adding questions | Mar 22nd 2023 | ghostbit11 | not applicable | -
CSV Injection in CSV files generated by the backend | Mar 27th 2023 | lujiefsi | Medium | $15
Upload Plugin with Path Traversal to RCE + Delete all files in webroot | Mar 22nd 2023 | nguyendangtoan | not applicable | -
XSS @ Timer | Mar 22nd 2023 | hatlesswizard | not applicable | -
Stored XSS via Group Name | Mar 22nd 2023 | nerrorsec | not applicable | -
XSS via answer options | Mar 22nd 2023 | nerrorsec | not applicable | -
Stored XSS in Notification and Data Management | Mar 27th 2023 | nerrorsec | Medium | $18
Vulnerable javascript dependency used in adminsidepanel.js | Apr 3rd 2023 | khanhchauminh | Low | $5
Information Exposure through Source Code | Feb 27th 2023 | khanhchauminh | self closed | -
stored xss | Feb 26th 2023 | memmedrehimzade | not applicable | -
Bypass IP detection lead to perform brute-force attack | May 31st 2023 | nhienit2010 | Medium | $15
Stored Xss in Question field | Feb 26th 2023 | error-2001 | self closed | -
Multiple XSS Stored | Feb 26th 2023 | cupc4k3 | not applicable | -
Bootstrap-switch 3.3.2 in use which is vulnerable to XSS | Feb 27th 2023 | popcorn94 | Low | $5
Jquery UI 1.13.1 in use which is vulnerable to CVE-2022-31160 | Feb 27th 2023 | popcorn94 | Low | $5
Host header injection leads to account take over | Feb 20th 2023 | hunt3r0x | spam | -
No Rate Limit On Forgot [Password and Username] Lead to Email Bombing | Feb 19th 2023 | sl4x0 | spam | -
UI REDRESSING | Feb 19th 2023 | ctflearner | spam | -
xss using question content | Feb 19th 2023 | ranjit-git | not applicable | -
xss using survey name | Feb 19th 2023 | ranjit-git | not applicable | -
stored xss | Feb 20th 2023 | ranjit-git | Medium | $18
reflected xss | Feb 20th 2023 | ranjit-git | Medium | $15
Stored Cross-Site Scripting in survey administrator name | Feb 20th 2023 | ar6aaz | Medium | $15
Cross-site Scripting (XSS) - Stored | Feb 20th 2023 | 0x7zed | not applicable | -
Bounty tiers: Critical $0, High $0, Medium $0, Low $0.